![Page 1: VoIP Security Sip.EDU workshop February 2007 Walt Magnussen, Ph.D. Director TAMU ITEC](https://reader036.vdocuments.mx/reader036/viewer/2022072006/56649f515503460f94c7537f/html5/thumbnails/1.jpg)
VoIP Security
Sip.EDU workshop
February 2007
Walt Magnussen, Ph.D.
Director TAMU ITEC
VoIP security
• Major issues
– Span of control is often under separate entities on campus
– What is included – RTC
• VoIP
• H.323 and SIP video
• IM
• IPTV
– Separate network (virtual or physical) or converged
– Is VoIP just another application or a service with specific requirements?
– Is security a good or bad thing? (layer 8, 9 and 10 issue)
Crux of problem
• RTC traffic has specific requirements – ITU-T G.1050
What to include:
• VoIP – currently proprietary versions of H.323 and SIP
• Video conf. – mostly H.323, migrating to SIP
• IM – also supports SIP
• IPTV
Network solutions
• Separate IP network – if so, why change from TDM in the first place?
• Separate virtual network (VLANs) – not really complete separation, but good enough?
• All on one network
– Best effort – not recommended
– QoS – costly to manage
Security Approaches
• Three ways to architect security
– Open
– Use campus firewall
– Use Session Border Controller for voice
Open approach
• Feel that:
– Security breaks more things than it fixes (adds latency, jitter, etc.)
– Security is the responsibility of the end device, not the network
• Any security device tends to break the true peer-to-peer relationship of SIP
Use campus firewall
• Firewalls can be either state-free or stateful
– Because of the separation of signaling and media, must be stateful
– Firewalls can do deep packet inspection but may still miss many VoIP-specific vulnerabilities (fuzzing, SPIT and sequential dialing)
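Why the slide says the firewall must be stateful, as an added example (not from the slides): the SIP INVITE's SDP body announces the address and ports the RTP media will use, so a filter has to read the signaling and keep per-dialog state to know which UDP pinholes to open and, on BYE, to close. The INVITE and BYE messages below are constructed samples.

```python
import re

# Constructed SIP messages (not from the slides). The INVITE's SDP body names the
# address and ports the RTP media will use; the BYE ends the dialog.
INVITE = (
    "INVITE sip:bob@example.edu SIP/2.0\r\n"
    "Call-ID: a84b4c76e66710@pc33.example.edu\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "m=video 0 RTP/AVP 31\r\n"          # port 0: video stream rejected
)
BYE = "BYE sip:bob@example.edu SIP/2.0\r\nCall-ID: a84b4c76e66710@pc33.example.edu\r\n\r\n"

def _conn_ip(section):
    m = re.search(r"^c=IN IP4 (\S+)", section, re.M)
    return m.group(1) if m else None

def sdp_pinholes(message):
    """(call_id, [(media, ip, port), ...]) the firewall must open: RTP on the
    negotiated port plus RTCP on port+1 (RFC 3550 default pairing)."""
    head, _, body = message.partition("\r\n\r\n")
    cid = re.search(r"^Call-ID:\s*(\S+)", head, re.M | re.I)
    call_id = cid.group(1) if cid else None
    session, *media = re.split(r"^(?=m=)", body, flags=re.M)
    holes = []
    for sec in media:
        kind, port = sec[2:].split()[:2]
        port = int(port)
        if port == 0:                       # stream rejected by this offer
            continue
        ip = _conn_ip(sec) or _conn_ip(session)   # media-level c= overrides session c=
        holes += [(kind, ip, port), (kind, ip, port + 1)]
    return call_id, holes

class MediaPinholeTable:
    """Dialog state a stateless filter cannot keep: pinholes live from INVITE to BYE."""
    def __init__(self):
        self.open = {}                      # call_id -> list of (media, ip, port)
    def on_message(self, message):
        method = message.split(" ", 1)[0]
        call_id, holes = sdp_pinholes(message)
        if method == "INVITE" and holes:
            self.open[call_id] = holes
        elif method == "BYE":
            self.open.pop(call_id, None)
        return sorted(h for hs in self.open.values() for h in hs)
```

A media-level `c=` line, if present, overrides the session-level one, so a reader can extend the sample with per-stream addresses.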
Session Border Controller
• Acts as a back-to-back user agent.
• Can add other voice-specific features
– Peering redirects
– MOS-based call redirect
– NAT traversal assistance
– Transcoding with some
– Error concealment (i.e. echo)
– Access point for Lawful Intercept (CALEA)
SBC demonstration
• A view of the TAMU ITEC Acme Packet SBC.
SBC manufacturers
• Acme Packet
• Nextone
• Ditech
Future directions
• VoIP authentication and encryption – proposals include:
– TLS – used to encrypt the signaling stream
– SRTP – used to encrypt the media stream
http://www.tmcnet.com/voip/1104/FeatureSecurity.htm
• VPN clients not easy to implement on hardphones (wireline and wireless)